Change History (8)

We could randomise LastWritten in the state file, but unfortunately, on many OSs, the file metadata on disk would record access dates & times anyway. Also see #17188, if we do randomise this, we should randomly *subtract* some time from the times written in the file.

We could randomise LastWritten in the state file, but unfortunately, on many OSs, the file metadata on disk would record access dates & times anyway.

Good point. So we would need to modify the file metadata as well. touch is an example of a program that can do this.

Also see #17188, if we do randomise this, we should randomly *subtract* some time from the times written in the file.

Unfortunately, in the case given in the presentation above, we would perhaps need to subtract hours or days to sufficiently protect the user. How much time could be subtracted before we lose the benefits of LastWritten?

Is there any alternative way for tor to detect clock changes without storing the last usage on disk?

Also see #17188, if we do randomise this, we should randomly *subtract* some time from the times written in the file.

Unfortunately, in the case given in the presentation above, we would perhaps need to subtract hours or days to sufficiently protect the user. How much time could be subtracted before we lose the benefits of LastWritten?

Is there any alternative way for tor to detect clock changes without storing the last usage on disk?

Tor already detects clock changes by making a TLS connection to the authorities, and using the time they provide. #17188 is simply an additional warning that happens early during startup when we read the state file, rather than later when we make a connection.

If we have to lose it, or make it less reliable, that's ok.
(We might also want to consider removing LastWritten entirely.)

Hmm, if we are going to change file modification or creation dates, we have to do it for *all* files tor and Tor Browser create. Even then, system files and logs associated with Tor Browser will still leak usage times.

I'm not sure if there is a solution here, apart from VMs that are destroyed after use.